Request jvm truststore and jssecacerts file?

I have two https web apps app1 and app2 installed on two different cats t1 and t2 (t1 and t2 on different machines). when in app1 I make url connection to app2 I get SSL handshake error. The reason is that I am using a self signed certificate in app 2 which is not in app1 jvm truststore. So the correct approach to fix is ​​it installs the self signed certificate in JAVA-HOME / jre / lib / security. To do the same, I followed the steps given at . The same steps are suggested in different forums. But still I get the same SSL handshake attempt which PKIX path   building failed:
provider.certpath.SunCertPathBuilderException: unable to find valid certification path to   requested target
at Source)


Though I got rid of that SSLHandshakeException by specifying below options in JVM store. = C: .keystore = changeit

My question here is why the first approach (which is the correct approach). If putting jssecacerts file in / lib / security doesn't work? Another point is what is different between the first and second approaches?


source to share

2 answers

Though I got rid of this SSLHandshakeException by mentioning the options in the JVM store below. = C: .keystore = changeit

It is not clear what you were trying to do with these parameters. Either you use the default trust store (usually if it exists, otherwise ), or you specify your own. tends to be used as a key store rather than trust (although there is no default JSSE value). (By the way, I would also specify the full path instead .) jssecacerts




It's probably better to make a copy of the original file cacerts

(or jssecacerts

) (remove the extra one you put in if you changed something) and add your remote certificate to it (i.e. app2 cert in app1 copy and app1 cert in app2 if necessary).

You can list the certificates with keytool -list -keystore keystore.jks

(see help for advanced options if needed).

You can export the certificate using keytool -export -keystore server1-keystore.jks -alias server_alias -file server1.crt


Then import it into another trust store: keytool -import -keystore client2-truststore.jks -file server1.crt

. ( client2-truststore.jks

Will be a copy here cacerts

.) Then configure your JVM to use Apache Tomcat (not necessarily the Tomcat connector). You have to set JVM parameters to




My question is why the first approach (which is the correct approach) i.e. put jssecacerts file in / lib / security doesn't work?

To answer your question in more detail, I just double checked a clean install of Oracle JRE 6 (1.6.0_31) and jssecacerts

takes precedence over cacerts

if present (as described in the JSSE Ref Guide, so there seems to be no error). I'm not sure where Oracle moved the Andreas Sterbenz Sun blog, so I'm not sure which copy InstallCert

you were using. I think something didn't work out there.

As far as I know, InstallCert

connects to the server to get its certificate (replacing the export step above): you are actually assuming that the certificate you get the first time you connect is correct (and may be trusted). You can also obtain this certificate using OpenSSL . However, in your case, you seem to have control over the two servers and their respective keystores, so you can also use keytool -export


Another point is what is different from the first and second approaches?

The first approach (change jssecacerts

) sets the configuration for all applications that will use this JRE installation, while the second will apply these settings to the JVM only after Apache Tomcat has started.

Please note that if you did not have a file jssecacerts

, but only a file cacerts

, if you only import your certificate into jssecacerts

, it cacerts

will be ignored, which means you will not be able to connect to servers that have a certificate issued by the CA, which will usually be trusted by default. Therefore, it is useful to start with a copy of the default file. (Also, if your app also connects to other sites that are generally trusted by default, that might also explain why you get this error message elsewhere this time.)

It is ultimately your responsibility to verify that in jssecacerts



IMPORTANT NOTE: The JDK comes with a limited number of trusted root certificates in the / lib / security / cacerts file. As stated in keytool, you are responsible for maintaining (i.e. adding / removing) the certificates contained in this file if you use this file as a trusted store.

Depending on the certificate configuration of the servers you are communicating with, you may need to add additional root certificates. Obtain what you need from the appropriate supplier.



The difference is that you added the certificate to the wrong trust file :). JUST System Truststore is not jssecacerts but just cacerts in $ {JRE_HOME} / lib / security /. You were creating a new trust that the JRE is not aware of. Adding the certificate to the proper store will solve your problem. However, let me warn you that it is not recommended to add your own CA certificates to the truststore. Add them to the user's trust store and use it the way you do in the second option.



All Articles